The Holes in Microsoft’s Data Protection Pledge

Microsoft said it would let its customers segregate their computerized data outside the U.S. But the move may not shield foreign companies from NSA surveillance.

Associated Press

By Shira Ovide and Danny Yadron

Microsoft wants to keep its customers’ data from the prying eyes of U.S. spies and cops. But the company may not be able to honor its pledge.

Brad Smith, Microsoft’s general counsel, said the company would allow its foreign customers to store their computerized information only in Microsoft data centers outside the U.S. A spokeswoman for Microsoft confirmed Smith’s comments, made in an interview with the Financial Times.

In principle, Smith’s remarks mean a Microsoft user in Germany – where revelations of National Security Agency surveillance efforts have spooked politicians, companies and consumers – can be assured its data would never leave Europe.

But data-policy experts said Microsoft, as a U.S. company, is obligated to turn over data demanded lawfully by the NSA or a U.S. law-enforcement agency, no matter whether Microsoft’s computers are in Seattle, Dubai or Taipei.

“What matters more than where the data is, is where the system administrators are and who can order them to do things,” said Christopher Soghoian, a privacy researcher at the American Civil Liberties Union. “As long as (a company) has a presence, the data is vulnerable.”

Daniel Castro, senior analyst with the Information Technology & Innovation Foundation, a policy-research group, said Microsoft’s move may be a test of the patchwork of different national laws over who controls computerized information.

“They’re almost teeing up this conflict so maybe it will finally get resolved,” he said. Castro’s organization, which has studied the impact of NSA revelations on the technology industry, has received funding from Microsoft and other tech companies.

The Microsoft spokeswoman declined to comment, but referred to a December blog post from Smith, who said the company would “assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country.”

Note: A prior version of this post said a German user could be assured its data would be housed in Germany. Microsoft’s pledge would require only that the data be kept in Europe.